Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide

Bootstrapping trusted certificates

By default, Authentication Services for Smart Cards automatically retrieves trusted certificates and CRLs from Active Directory. This can be done securely because Authentication Services establishes a secure channel to the domain at join time, keyed with the symmetric host key it uses to join itself to the domain. Note what this design trusts: anyone who can write to the container described below can publish an issuer that every Authentication Services for Smart Cards client will accept for smart card login.

Active Directory stores the trusted certificates for smart card login in the NtAuthCertificates container, which is located by the following LDAP distinguished name (one DC component per label of the domain's DNS name):

CN=NtAuthCertificates,CN=Public Key Services,CN=Configuration,
DC=<domain>,DC=<domain>,…

By default, any certificates placed in this location in Active Directory are automatically distributed to both Windows and Authentication Services for Smart Cards clients.

Authentication Services for Smart Cards places these trusted certificates in the NtAuth subdirectory of the /var/opt/quest/vas/certs directory.

Note: Do not place additional certificates in the NtAuth subdirectory. Authentication Services manages it and may delete its contents from time to time. Additional trusted certificates belong directly in the /var/opt/quest/vas/certs directory.
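The following script is an added example for this guide and is not part of Authentication Services. It pulls the cACertificate values out of the NtAuthCertificates container with ldapsearch, computes a SHA-256 fingerprint for each, and reports any that are missing from the NtAuth cache vasd maintains, which is the quickest way to confirm that bootstrapping actually delivered the trust anchors. The container DN and the cache directories come from the text above; the ldapsearch invocation (OpenLDAP client tools, GSSAPI bind with an existing Kerberos ticket) and the assumption that the cache holds PEM or raw DER files are mine. The embedded LDIF is constructed test data, not real certificates.

```python
"""Compare the NtAuthCertificates trust anchors in AD with vasd's local cache.

Added example, not One Identity code. Assumes ldapsearch (OpenLDAP client tools)
is installed and the host has a Kerberos ticket for a GSSAPI bind.
"""
import base64
import hashlib
import re
import subprocess
import sys
from pathlib import Path

VAS_CERTS_DIR = Path("/var/opt/quest/vas/certs")   # admin-supplied anchors go here
VASD_NTAUTH_DIR = VAS_CERTS_DIR / "NtAuth"          # written by vasd, may be purged


def ntauth_dn(domain: str) -> str:
    """DN of the NtAuthCertificates container: one DC= component per DNS label."""
    labels = [lbl for lbl in domain.strip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("domain must have at least one DNS label")
    return ("CN=NtAuthCertificates,CN=Public Key Services,CN=Configuration,"
            + ",".join(f"DC={lbl}" for lbl in labels))


def ldapsearch_argv(domain: str, dc_host: str) -> list[str]:
    """ldapsearch command that dumps the container's cACertificate values (assumed invocation)."""
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", f"ldap://{dc_host}",
            "-b", ntauth_dn(domain), "-s", "base", "cACertificate"]


def parse_ldif_certs(ldif: str) -> list[bytes]:
    """Return the DER blob of every cACertificate value in an LDIF dump.

    ldapsearch base64-encodes binary values ("attr:: ...") and folds long
    lines; a continuation line starts with exactly one space, so unfold first."""
    unfolded = re.sub(r"\r?\n ", "", ldif)
    ders = []
    for line in unfolded.splitlines():
        if line.lower().startswith("cacertificate:: "):
            ders.append(base64.b64decode(line.split(":: ", 1)[1].strip()))
    return ders


def sha256_fingerprint(der: bytes) -> str:
    """Fingerprint over the DER bytes, the same value certutil/openssl print for the cert."""
    return hashlib.sha256(der).hexdigest()


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def missing_from_cache(ad_ders: list[bytes], cached_ders: list[bytes]) -> set[str]:
    """Fingerprints present in the AD container but absent from the local cache.
    A non-empty result after trusted-certs-update-interval has passed means
    bootstrapping is not working on this host."""
    cached = {sha256_fingerprint(d) for d in cached_ders}
    return {sha256_fingerprint(d) for d in ad_ders} - cached


def load_cached_ders(cache_dir: Path = VASD_NTAUTH_DIR) -> list[bytes]:
    """Read the certificates vasd cached under NtAuth (PEM or raw DER, an assumption)."""
    ders = []
    for path in sorted(p for p in cache_dir.glob("*") if p.is_file()):
        data = path.read_bytes()
        ders.append(pem_to_der(data.decode("ascii")) if b"-----BEGIN" in data else data)
    return ders


# Constructed LDIF for the offline check; the two values are placeholder bytes,
# not real certificates, and the second value is folded across two lines.
SAMPLE_LDIF = (
    "dn: CN=NtAuthCertificates,CN=Public Key Services,CN=Configuration,"
    "DC=example,DC=com\n"
    "cACertificate:: Y2VydC1vbmU=\n"
    "cACertificate:: Y2VydC10\n"
    " d28=\n"
)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <ad-domain> <dc-host>")
    ldif = subprocess.run(ldapsearch_argv(sys.argv[1], sys.argv[2]),
                          check=True, capture_output=True, text=True).stdout
    ad_ders = parse_ldif_certs(ldif)
    print(f"{len(ad_ders)} certificate(s) in {ntauth_dn(sys.argv[1])}")
    for fp in sorted(missing_from_cache(ad_ders, load_cached_ders())):
        print(f"NOT in {VASD_NTAUTH_DIR}: sha256 {fp}")
```

Run it as root on a joined host, for example with the domain name and a domain controller as arguments. If fingerprints are reported missing, check bootstrap-trusted-certificate and trusted-certs-update-interval in vas.conf before assuming a directory problem; if you need to add an anchor by hand while you investigate, write der_to_pem output into /var/opt/quest/vas/certs itself, never into the NtAuth subdirectory.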

Automatic CRL retrieval

By default, Authentication Services for Smart Cards retrieves any CRLs required to verify the certificates it receives from Active Directory, and refreshes them automatically as they expire and as new certificates are issued. For a CRL to be retrieved, the certificate it covers must carry a CRL Distribution Points extension that includes an LDAP URI; a certificate whose distribution points offer only HTTP URLs will not have its CRL downloaded automatically. You can inspect the extension on a PEM certificate with openssl x509 -in <cert> -noout -ext crlDistributionPoints.

CRLs are stored in the /var/opt/quest/vas/crls directory.

Options for controlling certificate and CRL processing

Authentication Services provides a number of vas.conf options for configuring bootstrapping behavior.

Table 3: Options for configuring bootstrapping behavior

Option                         Function
auto-crl-download              Whether to download CRLs automatically as they are needed.
auto-crl-removal               Whether to remove out-of-date CRLs from the cache automatically.
bootstrap-trusted-certificate  Whether trusted certificates are retrieved from Active Directory automatically.
trusted-certs-update-interval  How often trusted certificates and CRLs are refreshed (default: 8 hours).
auto-crl-download-bind-type    How to bind to the LDAP directory when retrieving CRLs.
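The following audit script is an added example for this guide, not One Identity code. It reads the options from Table 3 out of a vas.conf, fills in defaults where a setting is absent, and lists the settings that weaken trust-anchor or revocation handling, with a weakened and a corrected configuration side by side. The option names and the 8-hour default for trusted-certs-update-interval come from the table above; the [vasd] section placement, the other defaults (bootstrap and auto-CRL handling on), and the interval syntax (bare seconds, or a number with an s, m, h or d suffix) are assumptions to confirm against the vas.conf man page for your version. The two configuration fragments are constructed.

```python
"""Audit the vas.conf options that govern certificate and CRL bootstrapping.

Added example, not One Identity code. Section placement ([vasd]), the non-
documented defaults and the interval syntax are assumptions; see the lead-in.
"""
import configparser
import re

VAS_CONF = "/etc/opt/quest/vas/vas.conf"
SECTION = "vasd"                       # assumption: section holding these options
ASSUMED_DEFAULTS = {
    "auto-crl-download": "true",       # assumption
    "auto-crl-removal": "true",        # assumption
    "bootstrap-trusted-certificate": "true",  # assumption
    "trusted-certs-update-interval": "8h",    # documented default (8 hours)
}
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_vas_conf(text: str) -> dict[str, str]:
    """Return the bootstrapping options in effect: file value, else assumed default."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   comment_prefixes=("#", ";"))
    cp.read_string(text)
    present = dict(cp.items(SECTION)) if cp.has_section(SECTION) else {}
    effective = dict(ASSUMED_DEFAULTS)
    for key, value in present.items():
        if key in ASSUMED_DEFAULTS or key == "auto-crl-download-bind-type":
            effective[key] = value.strip()
    return effective


def as_bool(value: str) -> bool:
    v = value.strip().lower()
    if v in ("true", "yes", "on", "1"):
        return True
    if v in ("false", "no", "off", "0"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def interval_seconds(value: str) -> int:
    """Bare number = seconds; suffix s/m/h/d scales it (assumed syntax)."""
    m = re.fullmatch(r"(\d+)\s*([smhd]?)", value.strip().lower())
    if not m:
        raise ValueError(f"bad interval: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def audit(options: dict[str, str], max_interval: int = 24 * 3600) -> list[tuple[str, str]]:
    """(option, finding) pairs for settings that weaken trust or revocation handling."""
    findings = []
    if not as_bool(options["bootstrap-trusted-certificate"]):
        findings.append(("bootstrap-trusted-certificate",
                         "trust anchors are not pulled from NtAuthCertificates; "
                         "/var/opt/quest/vas/certs must be maintained by hand and "
                         "newly published issuers are not trusted until you copy them"))
    if not as_bool(options["auto-crl-download"]):
        findings.append(("auto-crl-download",
                         "CRLs are not fetched; revocation checking depends on whatever "
                         "already sits in /var/opt/quest/vas/crls"))
    if not as_bool(options["auto-crl-removal"]):
        findings.append(("auto-crl-removal",
                         "out-of-date CRLs accumulate in /var/opt/quest/vas/crls "
                         "instead of being pruned"))
    seconds = interval_seconds(options["trusted-certs-update-interval"])
    if seconds > max_interval:
        findings.append(("trusted-certs-update-interval",
                         f"{seconds}s between refreshes; new issuers and fresh CRLs "
                         "take that long to reach this host"))
    return findings


# Constructed fragments: a weakened configuration and the corrected one.
WEAK_CONF = """\
[vasd]
workstation-mode = false
bootstrap-trusted-certificate = false
auto-crl-download = false
trusted-certs-update-interval = 7d
"""

HARDENED_CONF = """\
[vasd]
workstation-mode = false
bootstrap-trusted-certificate = true
auto-crl-download = true
auto-crl-removal = true
trusted-certs-update-interval = 8h
"""

if __name__ == "__main__":
    with open(VAS_CONF, encoding="utf-8") as fh:
        opts = parse_vas_conf(fh.read())
    for key in sorted(opts):
        print(f"{key} = {opts[key]}")
    for option, finding in audit(opts) or [("ok", "no weakening settings found")]:
        print(f"[{option}] {finding}")
```

The audit deliberately reports auto-crl-download-bind-type without judging it, because the acceptable bind types depend on your directory's anonymous-read policy rather than on the client alone.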
